Do not inject GLSAs into the checkfile when fixing them

There is no reason applied GLSAs must be stored in a checkfile. In the
current glsa-check GUI this will make it impossible to determine whether
the system is still affected by the GLSA (e.g. by re-emerging, or when a
GLSA is changed afterwards).

The current place for the checkfile (/var/cache) is not persistent per
FHS, meaning that people might clean out the contents of their injected
GLSAs. Since glsa.py is moving to portage anyway, we can use
/var/lib/portage as a place to store the injected GLSAs. Documentation
has been updated accordingly.

Note that the old checkfile should not be moved to the previous location
on upgrade since this will cause false negatives due to the above
arguments. A message should appear on upgrade (pkg_postinst or similar).

svn path=/trunk/gentoolkit/; revision=649

diff --git a/bin/glsa-check b/bin/glsa-check
index d5ac4e1ff3e6f2d7c8f71d2ff712fa963763e1e7..3c91d5e6cb0c904f78b0d27f51f3b134b183bd4b 100644 (file)
--- a/bin/glsa-check
+++ b/bin/glsa-check
@@ -29,7 +29,7 @@ optionmap = [
 ["-t", "--test", "test if this system is affected by the given GLSA"],
 ["-p", "--pretend", "show the necessary commands to apply this GLSA"],
 ["-f", "--fix", "try to auto-apply this GLSA (experimental)"],
-["-i", "--inject", "inject the given GLSA into the checkfile"],
+["-i", "--inject", "inject the given GLSA into the glsa_injected file"],
 ["-n", "--nocolor", "disable colors (option)"],
 ["-e", "--emergelike", "do not use a least-change algorithm (option)"],
 ["-h", "--help", "show this help message"],
@@ -204,7 +204,7 @@ def summarylist(myglsalist, fd1=sys.stdout, fd2=sys.stderr, encoding="utf-8"):
        fd1 = codecs.getwriter(encoding)(fd1)
        fd2 = codecs.getwriter(encoding)(fd2)
        if not quiet:
-               fd2.write(white("[A]")+" means this GLSA was already applied,\n")
+               fd2.write(white("[A]")+" means this GLSA was marked as applied (injected),\n")
                fd2.write(green("[U]")+" means the system is not affected and\n")
                fd2.write(red("[N]")+" indicates that the system might be affected.\n\n")
 
@@ -216,7 +216,7 @@ def summarylist(myglsalist, fd1=sys.stdout, fd2=sys.stderr, encoding="utf-8"):
                        if verbose:
                                fd2.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e)))
                        continue
-               if myglsa.isApplied():
+               if myglsa.isInjected():
                        status = "[A]"
                        color = white
                elif myglsa.isVulnerable():
@@ -289,7 +289,6 @@ if mode in ["dump", "fix", "inject", "pretend"]:
                                                sys.exit(exitcode)
                        if len(mergelist):
                                sys.stdout.write("\n")
-                       myglsa.inject()
                elif mode == "pretend":
                        sys.stdout.write("Checking GLSA "+myid+"\n")
                        if not myglsa.isVulnerable():

diff --git a/man/glsa-check.1 b/man/glsa-check.1
index 3cfca23b06383bd235d7296699db2a74008949ff..e31e3392d3085e268f4c267f0dc7916f3f977002 100644 (file)
--- a/man/glsa-check.1
+++ b/man/glsa-check.1
@@ -36,7 +36,7 @@ show the necessary commands to apply this GLSA
 try to auto\-apply this GLSA (experimental)
 .TP 
 .B \-i, \-\-inject
-inject the given GLSA into the checkfile
+inject the given GLSA into the glsa_injected file
 .TP 
 .B \-n, \-\-nocolor
 disable colors (option)
@@ -58,3 +58,9 @@ be less verbose and do not send empty mail (option)
 .TP 
 .B \-m, \-\-mail
 send a mail with the given GLSAs to the administrator
+.SH "FILES"
+.LP 
+.TP 
+.B /var/lib/portage/glsa_injected
+List of GLSA ids that have been injected and will never show up as 'affected' on this system.
+The file must contain one GLSA id (e.g. '200804-02') per line.

diff --git a/pym/gentoolkit/glsa/__init__.py b/pym/gentoolkit/glsa/__init__.py
index 2ee294f7e40bc48f789e9aeb0cd5a4d0c8798636..d28383527c3da42b9a3aec7ae42f9eb6c3e7ddb7 100644 (file)
--- a/pym/gentoolkit/glsa/__init__.py
+++ b/pym/gentoolkit/glsa/__init__.py
@@ -117,7 +117,7 @@ def checkconfig(myconfig):
                "GLSA_DIR": portage.settings["PORTDIR"]+"/metadata/glsa/",
                "GLSA_PREFIX": "glsa-",
                "GLSA_SUFFIX": ".xml",
-               "CHECKFILE": "/var/cache/edb/glsa",
+               "CHECKFILE": "/var/lib/portage/glsa_injected",
                "GLSA_SERVER": "www.gentoo.org/security/en/glsa/",      # not completely implemented yet
                "CHECKMODE": "local",                                                           # not completely implemented yet
                "PRINTWIDTH": "76"
@@ -669,14 +669,16 @@ class Glsa:
                                                        or (None != getMinUpgrade([v,], path["unaff_atoms"]))
                return rValue
        
-       def isApplied(self):
+       def isInjected(self):
                """
-               Looks if the GLSA IDis in the GLSA checkfile to check if this
-               GLSA was already applied.
+               Looks if the GLSA ID is in the GLSA checkfile to check if this
+               GLSA should be marked as applied.
                
                @rtype:         Boolean
-               @returns:       True if the GLSA was applied, False if not
+               @returns:       True if the GLSA is in the inject file, False if not
                """
+               if not os.access(self.config["CHECKFILE"], os.R_OK):
+                       return False
                aList = portage.grabfile(self.config["CHECKFILE"])
                return (self.nr in aList)
 
@@ -689,7 +691,7 @@ class Glsa:
                @rtype:         None
                @returns:       None
                """
-               if not self.isApplied():
+               if not self.isInjected():
                        checkfile = open(self.config["CHECKFILE"], "a+")
                        checkfile.write(self.nr+"\n")
                        checkfile.close()